By Florence Olsen
June 20, 2005
The Office of Management and Budget has issued new security reporting
guidelines that emphasize contractor oversight and data privacy
protections. OMB officials, however, have not released the scoring
templates used to determine agencies' grades for compliance with the
Federal Information Security Management Act.
Under the 2005 FISMA reporting guidelines issued June 13, agencies
will have to answer new questions about data privacy and contractor
oversight in reports they must submit to OMB by Oct. 7. When OMB
officials added the new questions, they also dropped some old ones.
Agencies, for example, will no longer have to report how many times
they were victims of a malicious code attack because someone in the
agency had not installed a necessary security patch.
The new guidelines emphasize that agencies are responsible for
ensuring that federal contractors maintain appropriate security
controls on equipment used to deliver network or other managed
services. The security controls also apply to contractor support
staff, government-owned and contractor-operated equipment and
contractor-owned equipment in which any federal data is processed or
"Agencies must ensure identical, not equivalent security procedures,"
according to the guidelines. That means agencies must make certain
that federal contractors conduct risk assessments, develop contingency
plans, certify and accredit their systems and everything else that
federal agencies must do to comply with FISMA.
The guidelines further state that those federal and contractor
responsibilities must be spelled out in any contracts that agencies
The guidelines' focus on contractor systems answers some criticisms
that congressional auditors made in a recent report. The Government
Accountability Office faulted OMB in May for not incorporating FISMA
requirements into the Federal Acquisition Regulation, which governs
Federal contractors have expressed mixed reactions to the heightened
attention that GAO and OMB officials are giving to information systems
security. Harold Gracey, executive consultant at Topside Consulting
Group, said federal contractors already do a good job of protecting
government information. But "it is worthwhile to follow up and make
sure what people are saying they're doing is actually happening," he
Others say the new scrutiny is justified. Federal contracts should be
written as outsourcing contracts because that is what they are, said
Jody Westby, managing director at PricewaterhouseCoopers. Most federal
contracts lack adequate oversight provisions and requirements for
contractor systems, she said.
Such provisions are found in most master service agreements in the
private sector because corporate managers treat all such agreements as
outsourcing contracts, Westby said.
Uniform federal contractual language covering not only information
security but also workforce and physical security relative to IT
systems would help ensure that contractors are maintaining proper
security, she said.
If OMB developed standard contractual clauses for security consistent
with FISMA, everyone could benefit, Westby said. "FISMA is an
enterprise security program," she said, and the related policy and
technical guidance developed by the National Institute of Standards
and Technology is "world class -- it's excellent."
"Anybody who is handling data for the federal government should be
able to comply with those standards," Westby said.
But whether the contractor or the agency pays for the additional
security oversight is something that would have to be worked out on a
case-by-case basis if it is not included in standard contracting
language, Westby said. "The cost of who pays for it is a discussion
that needs to be had."